{"id":236843,"date":"2026-04-27T08:29:00","date_gmt":"2026-04-27T12:29:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/27\/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years\/"},"modified":"2026-04-28T21:55:14","modified_gmt":"2026-04-29T01:55:14","slug":"openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/27\/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years\/","title":{"rendered":"OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years"},"content":{"rendered":"<p><a href=\"https:\/\/www.securityweek.com\/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years\/\">OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years<\/a><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years\/\">https:\/\/www.securityweek.com\/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-27 08:29:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.securityweek.com\">www.securityweek.com<\/a><\/p>\n<p><strong>OpenSSH versions released over the past 15 years are affected by a vulnerability leading to full root shell access, and attacks cannot be spotted via log-based detection, data security firm Cyera says.<\/strong><\/p>\n<p>Tracked as CVE-2026-35414 (CVSS score of 8.1), the flaw is described as a mishandling of the authorized_keys principals option in certain scenarios involving certificate authorities (CA) that use comma characters.<\/p>\n<p>According to Cyera, because of the bug, a comma in an SSH certificate principal name leads to OpenSSH access control bypass, allowing users to authenticate as root on a vulnerable server, as long as they have a valid certificate from a trusted CA.<\/p>\n<p>\u201cThe flaw resides in a code reuse error that accidentally allowed a simple 
comma in a certificate principal to be interpreted as a list separator by the parser, turning a low-privilege identity into a root credential,\u201d Cyera told SecurityWeek.<\/p>\n<p>\u201cThe server considers the authentication legitimate, meaning this attack does not register an authentication failure in logs, making log-based detection highly unreliable,\u201d it added.<\/p>\n<p>CVE-2026-35414, the cybersecurity firm explains, involves the principals list, which includes the usernames that a certificate holder may authenticate as, and the authorized_keys principals, which contain the keys the servers use to trust certificates.<\/p>\n<p>The issue is that a function that handles cipher and key-exchange list negotiation compares comma-separated lists of ciphers during key exchange, splits on the comma, and enables authentication if either fragment matches the principal\u2019s value.<\/p>\n<p>Because of the bug, if a certificate contains the principal deploy,root, OpenSSH splits the comma and enables full root access.<\/p>\n<p>A second function that also checks authorization treats the same principal as a single string and denies access. 
However, if the string matches, the options that run next result in principal&#8230;<\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years https:\/\/www.securityweek.com\/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years\/ Publish Date: 2026-04-27&#8230;<\/p>\n","protected":false},"author":1,"featured_media":236844,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.securityweek.com\/wp-content\/uploads\/2024\/04\/vulnerability.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,28,27],"class_list":["post-236843","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-data-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236843"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=236843"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236843\/revisions"}],"predecessor-version":[{"id":236845,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236843\/revisions\/236845"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/236844"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=236843"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=236843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=236843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}